Re: Keystore password not masked in server.xml file
On 02/14/2012 09:32 AM, Caldarale, Charles R wrote:
> From: Luca Marchesano [mailto:luca.marches...@ericsson.com]
> Subject: Keystore password not masked in server.xml file
>
>> Is there a way to specify the keystore's password in an encrypted way?
>
> Think about it: where are you going to put the encryption key so Tomcat can get at it to decode the encrypted password? Eventually, something must be in plain text, accessible to Tomcat. Secure your Tomcat configuration files so you don't have to worry about random users looking at them.
>
> - Chuck

The OP's inquiry was quite reasonable as well as valid in a security aspect. The 'password' for the key store falls in the same category. I remember there were more than a few times the same and similar subject addressed, but I guess it's still as it was.

To give an idea in terms of where to place and how to access:

1) The clear-text or enciphered-form password in the code.
2) The clear-text password in the connector in the server.xml can be replaced with the API method name that can provide the password.

This simple mechanism can be either or both by Tomcat as default and/or a custom class that implements the defined API. Within the implementation, how the API method provides the password can be left to the implementation provider. In that way, each Tomcat will be unique as well as more secure, depending on how well the password provisioning class is implemented, which can be left to the implementation provider.

Anyhow, this is a basic idea of where the password can be placed and how it can be accessed. And it can be easily implemented with a reasonably short amount of time and effort.

To go further for multiple certificates for multiple vHosts such as SNI+OpenSSL (or alternatives), it will be a bit more challenging, but not so hard.

Pae
Re: Keystore password not masked in server.xml file
On 19/02/2012 09:25, Pae Choi wrote:
> On 02/14/2012 09:32 AM, Caldarale, Charles R wrote:
>> From: Luca Marchesano [mailto:luca.marches...@ericsson.com]
>> Subject: Keystore password not masked in server.xml file
>>
>>> Is there a way to specify the keystore's password in an encrypted way?
>>
>> Think about it: where are you going to put the encryption key so Tomcat can get at it to decode the encrypted password? Eventually, something must be in plain text, accessible to Tomcat. Secure your Tomcat configuration files so you don't have to worry about random users looking at them.
>>
>> - Chuck
>
> The OP's inquiry was quite reasonable as well as valid in a security aspect.

No it wasn't. It was illogical. Chris has already pointed to the FAQ entry that discusses this in more detail. I don't propose to repeat those arguments here but I will say the proposal below is nonsense.

Mark

> The 'password' for the key store falls in the same category. I remember there were more than a few times the same and similar subject addressed, but I guess it's still as it was.
>
> To give an idea in terms of where to place and how to access:
>
> 1) The clear-text or enciphered-form password in the code.
> 2) The clear-text password in the connector in the server.xml can be replaced with the API method name that can provide the password.
>
> This simple mechanism can be either or both by Tomcat as default and/or a custom class that implements the defined API. Within the implementation, how the API method provides the password can be left to the implementation provider. In that way, each Tomcat will be unique as well as more secure, depending on how well the password provisioning class is implemented, which can be left to the implementation provider.
>
> Anyhow, this is a basic idea of where the password can be placed and how it can be accessed. And it can be easily implemented with a reasonably short amount of time and effort.
>
> To go further for multiple certificates for multiple vHosts such as SNI+OpenSSL (or alternatives), it will be a bit more challenging, but not so hard.
>
> Pae

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Keystore password not masked in server.xml file
On 02/19/2012 06:03 AM, Mark Thomas wrote:
> On 19/02/2012 09:25, Pae Choi wrote:
>> On 02/14/2012 09:32 AM, Caldarale, Charles R wrote:
>>> From: Luca Marchesano [mailto:luca.marches...@ericsson.com]
>>> Subject: Keystore password not masked in server.xml file
>>>
>>>> Is there a way to specify the keystore's password in an encrypted way?
>>>
>>> Think about it: where are you going to put the encryption key so Tomcat can get at it to decode the encrypted password? Eventually, something must be in plain text, accessible to Tomcat. Secure your Tomcat configuration files so you don't have to worry about random users looking at them.
>>>
>>> - Chuck
>>
>> The OP's inquiry was quite reasonable as well as valid in a security aspect.
>
> No it wasn't. It was illogical. Chris has already pointed to the FAQ entry that discusses this in more detail. I don't propose to repeat those arguments here but I will say the proposal below is nonsense.
>
> Mark

Which part of the OP's comment is illogical? Is concern about the clear-text password illogical?

Where is the part in the FAQ that describes the *in more detail* part? I'll be interested to read about it.

Nonsense? Is it logical and rational to simply say nonsense without any logical explanation? You could point out which part specifically you do not understand. Perhaps the security topic is too much for you to digest? When you do not understand, you simply just don't get it.

Pae

P.S.: Also, why am I seeing your post without my original posting? How funny!

>> The 'password' for the key store falls in the same category. I remember there were more than a few times the same and similar subject addressed, but I guess it's still as it was.
>>
>> To give an idea in terms of where to place and how to access:
>>
>> 1) The clear-text or enciphered-form password in the code.
>> 2) The clear-text password in the connector in the server.xml can be replaced with the API method name that can provide the password.
>>
>> This simple mechanism can be either or both by Tomcat as default and/or a custom class that implements the defined API. Within the implementation, how the API method provides the password can be left to the implementation provider. In that way, each Tomcat will be unique as well as more secure, depending on how well the password provisioning class is implemented, which can be left to the implementation provider.
>>
>> Anyhow, this is a basic idea of where the password can be placed and how it can be accessed. And it can be easily implemented with a reasonably short amount of time and effort.
>>
>> To go further for multiple certificates for multiple vHosts such as SNI+OpenSSL (or alternatives), it will be a bit more challenging, but not so hard.
>>
>> Pae
Re: Keystore password not masked in server.xml file
On 19/02/2012 12:17, Pae Choi wrote:
> On 02/19/2012 06:03 AM, Mark Thomas wrote:
>> On 19/02/2012 09:25, Pae Choi wrote:
>>> On 02/14/2012 09:32 AM, Caldarale, Charles R wrote:
>>>> From: Luca Marchesano [mailto:luca.marches...@ericsson.com]
>>>> Subject: Keystore password not masked in server.xml file
>>>>
>>>>> Is there a way to specify the keystore's password in an encrypted way?
>>>>
>>>> Think about it: where are you going to put the encryption key so Tomcat can get at it to decode the encrypted password? Eventually, something must be in plain text, accessible to Tomcat. Secure your Tomcat configuration files so you don't have to worry about random users looking at them.
>>>>
>>>> - Chuck
>>>
>>> The OP's inquiry was quite reasonable as well as valid in a security aspect.
>>
>> No it wasn't. It was illogical. Chris has already pointed to the FAQ entry that discusses this in more detail. I don't propose to repeat those arguments here but I will say the proposal below is nonsense.
>>
>> Mark
>
> Which part of the OP's comment is illogical? Is concern about the clear-text password illogical?

Yes.

> Where is the part in the FAQ that describes the *in more detail* part? I'll be interested to read about it.

Try reading the FAQ link Chris already pointed you to then.

> Nonsense? Is it logical and rational to simply say nonsense without any logical explanation?

As I previously stated, the FAQ article provides all the explanation required and I don't intend wasting my time copying and pasting it into an email message.

> You could point out which part specifically you do not understand. Perhaps the security topic is too much for you to digest?

ROTFLMAO. I'll leave folks to check the archives to determine our relative credibility on that one. I'm confident I know what the result will be.

> When you do not understand, you simply just don't get it.

Hopefully, but I suspect not, you'll come to the conclusion that it is in fact the other way around and that it is you that doesn't get it.

> Pae
>
> P.S.: Also, why am I seeing your post without my original posting? How funny!

Yes, it is hilarious that you appear to be unable to configure your browser to show message threads correctly.

I don't intend feeding this troll any further by replying to whatever reply this e-mail may generate but I do offer the following food for thought: When on an Apache mailing list and someone with an @apache.org address writes something you think is nonsense, there is a fairly good chance that they do in fact know what they are talking about. You may want to do a little more research before you start questioning their intelligence. I'm not saying that they won't make mistakes (and when they do, they'll be more than happy to own up to them), but it is advisable to be very sure of your ground before you start typing unless - of course - you are happy making yourself look like a complete idiot.

Mark

>>> The 'password' for the key store falls in the same category. I remember there were more than a few times the same and similar subject addressed, but I guess it's still as it was.
>>>
>>> To give an idea in terms of where to place and how to access:
>>>
>>> 1) The clear-text or enciphered-form password in the code.
>>> 2) The clear-text password in the connector in the server.xml can be replaced with the API method name that can provide the password.
>>>
>>> This simple mechanism can be either or both by Tomcat as default and/or a custom class that implements the defined API. Within the implementation, how the API method provides the password can be left to the implementation provider. In that way, each Tomcat will be unique as well as more secure, depending on how well the password provisioning class is implemented, which can be left to the implementation provider.
>>>
>>> Anyhow, this is a basic idea of where the password can be placed and how it can be accessed. And it can be easily implemented with a reasonably short amount of time and effort.
>>>
>>> To go further for multiple certificates for multiple vHosts such as SNI+OpenSSL (or alternatives), it will be a bit more challenging, but not so hard.
>>>
>>> Pae
Re: Keystore password not masked in server.xml file
If you want to encrypt the password, you have to override the DBCP implementation to decrypt the encrypted password so that the real pwd is accessible or available to Tomcat.

On Tue, Feb 14, 2012 at 7:56 PM, Luca Marchesano luca.marches...@ericsson.com wrote:
> Hi all,
>
> I'm trying to configure a Tomcat 7.0.21 server in order to use the SSL connector. I've generated a keystore and specified it in the server.xml file, but I have to specify the keystore's password in clear in the connector's configuration. Is it possible to avoid that? Is there a way to specify the keystore's password in an encrypted way?
>
> Thanks in advance,
> Luca
Keystore password not masked in server.xml file
Hi all,

I'm trying to configure a Tomcat 7.0.21 server in order to use the SSL connector. I've generated a keystore and specified it in the server.xml file, but I have to specify the keystore's password in clear in the connector's configuration. Is it possible to avoid that? Is there a way to specify the keystore's password in an encrypted way?

Thanks in advance,
Luca
RE: Keystore password not masked in server.xml file
From: Luca Marchesano [mailto:luca.marches...@ericsson.com]
Subject: Keystore password not masked in server.xml file

> Is there a way to specify the keystore's password in an encrypted way?

Think about it: where are you going to put the encryption key so Tomcat can get at it to decode the encrypted password? Eventually, something must be in plain text, accessible to Tomcat. Secure your Tomcat configuration files so you don't have to worry about random users looking at them.

- Chuck
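Chuck's advice to secure the configuration files can be checked mechanically. The following is an added example, not code from this thread or from the Tomcat project: a POSIX sh audit that reports whether server.xml (which carries the keystore password in clear) and the keystore are owned by the Tomcat service account and unreadable by anyone else. The directory layout, the scratch files it creates and the use of the current user as the owner are assumptions.

```shell
# Added example, not code from this thread or from Tomcat: audit the files
# that hold the plain-text keystore password (server.xml) and the keystore.
# Assumption: Tomcat runs as the account passed as OWNER.

# check_private_file PATH OWNER -> 0 only if PATH exists, is owned by OWNER
# and has no group/other permission bits; prints a one-line verdict.
check_private_file() {
    path=$1; owner=$2
    if [ ! -e "$path" ]; then
        echo "MISSING     $path"; return 2
    fi
    # ls -ld prints: mode links owner group ...; same on GNU and BSD ls
    set -- $(ls -ld "$path")
    mode=$1; actual_owner=$3
    # chars 5-10 of the mode string are the group and other bits
    # (a trailing '.' or '+' for SELinux/ACLs sits at position 11)
    others=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$actual_owner" != "$owner" ]; then
        echo "WRONG-OWNER $path (owner $actual_owner, expected $owner)"; return 1
    fi
    if [ "$others" != "------" ]; then
        echo "TOO-OPEN    $path ($mode: readable beyond $owner)"; return 1
    fi
    echo "OK          $path ($mode $actual_owner)"
}

# audit_tomcat_secrets CATALINA_BASE OWNER KEYSTORE -> 0 only if both
# server.xml and the keystore pass check_private_file.
audit_tomcat_secrets() {
    base=$1; owner=$2; keystore=$3; rc=0
    check_private_file "$base/conf/server.xml" "$owner" || rc=1
    check_private_file "$keystore" "$owner" || rc=1
    return $rc
}

# Demonstration on constructed files in a scratch directory (assumed layout).
demo=$(mktemp -d)
mkdir -p "$demo/conf"
: > "$demo/conf/server.xml"; chmod 600 "$demo/conf/server.xml"
: > "$demo/keystore.jks";    chmod 644 "$demo/keystore.jks"   # deliberately too open
if audit_tomcat_secrets "$demo" "$(id -un)" "$demo/keystore.jks"; then
    echo "all secrets are private"
else
    echo "tighten the files flagged above (chmod 600, chown to the Tomcat user)"
fi
```

For a real installation, call audit_tomcat_secrets with $CATALINA_BASE, the Tomcat service account and the path given in the connector's keystore attribute.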
Re: Keystore password not masked in server.xml file
On 14 Feb 2012, at 14:27, Luca Marchesano luca.marches...@ericsson.com wrote:
> Hi all,
>
> I'm trying to configure a Tomcat 7.0.21 server in order to use the SSL connector. I've generated a keystore and specified it in the server.xml file, but I have to specify the keystore's password in clear in the connector's configuration. Is it possible to avoid that? Is there a way to specify the keystore's password in an encrypted way?

If it's encrypted, where will you put the decryption key?

p

> Thanks in advance,
> Luca
Re: Keystore password not masked in server.xml file
Luca,

On 2/14/12 9:26 AM, Luca Marchesano wrote:
> I'm trying to configure a Tomcat 7.0.21 server in order to use the SSL connector. I've generated a keystore and specified it in the server.xml file, but I have to specify the keystore's password in clear in the connector's configuration. Is it possible to avoid that? Is there a way to specify the keystore's password in an encrypted way?

http://wiki.apache.org/tomcat/FAQ/Password

-chris